LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 09-25-2009, 08:59 AM   #1
fang0654
Member
 
Registered: Oct 2003
Location: New York, NY
Distribution: Ubuntu
Posts: 103

Rep: Reputation: 25
iptables question with OpenVPN (tun0 to tun0 filtering)


I've got a (hopefully) simple question.

I've got an OpenVPN Server, running with various subnets, working perfectly.

What I'm trying to do is block traffic going from VPN Subnet A to VPN Subnet B. I've been able to restrict traffic to the local LAN hosting the VPN server using rules in the FORWARD chain. I can't seem to find a way to control what is routing through the tun0 interface, though.

It is almost as if the tunnel to tunnel routing isn't even going through OpenVPN.

I've set the default policy on FORWARD to DROP, and have been able to block access to the internal lan, but I can still ping client to client. I know just commenting out client-to-client in the server.conf for openvpn will work, but I want to have SOME client to client communication, just not all.

Any recommendations?
 
Old 09-29-2009, 08:28 AM   #2
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Rep: Reputation: 78
Quote:
Originally Posted by fang0654 View Post
I've got a (hopefully) simple question.

I've got an OpenVPN Server, running with various subnets, working perfectly.

What I'm trying to do is block traffic going from VPN Subnet A to VPN Subnet B. I've been able to restrict traffic to the local LAN hosting the VPN server using rules in the FORWARD chain. I can't seem to find a way to control what is routing through the tun0 interface, though.

It is almost as if the tunnel to tunnel routing isn't even going through OpenVPN.

I've set the default policy on FORWARD to DROP, and have been able to block access to the internal lan, but I can still ping client to client. I know just commenting out client-to-client in the server.conf for openvpn will work, but I want to have SOME client to client communication, just not all.

Any recommendations?
I am not sure what you mean.

You have a vpn server. 2 vpn clients (with a lan behind them) connect.
You should see the traffic on tun0 or similar interface. I would think you can control the traffic by using the tun0, tun1, ... interface in your iptables rules. Maybe it is useful to do a tcpdump to see what is passing with which ip addresses.
 
Old 09-29-2009, 12:06 PM   #3
fang0654
Member
 
Registered: Oct 2003
Location: New York, NY
Distribution: Ubuntu
Posts: 103

Original Poster
Rep: Reputation: 25
Thanks for the response.

I found the problem. When you have that client-to-client directive enabled in the server.conf for openvpn, it actually doesn't route the traffic via the tun0 interface at all, so it never shows up in iptables (or tcpdump, for that matter). When I disabled the directive, then the traffic started getting routed via the interface, and I could control it with iptables.
 
Old 09-30-2009, 02:17 AM   #4
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Rep: Reputation: 78
Quote:
Originally Posted by fang0654 View Post
Thanks for the response.

I found the problem. When you have that client-to-client directive enabled in the server.conf for openvpn, it actually doesn't route the traffic via the tun0 interface at all, so it never shows up in iptables (or tcpdump, for that matter). When I disabled the directive, then the traffic started getting routed via the interface, and I could control it with iptables.
Interesting... will keep that in mind when using OpenVPN

please do mark your thread as being solved with the thread tools
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenVPN : need help with understanding tun0 and P-t-P jonaskellens Linux - Networking 3 08-24-2009 01:27 AM
creating Iptables for tun0 device johnniealan Linux - Networking 2 05-24-2009 11:04 PM
Iptables/TC: how to make masqueraded traffic go through an openVPN tun0? theVOID Linux - Networking 3 04-25-2008 03:34 AM
difference between tun0 and tun1 birjodh Linux - Networking 5 06-22-2007 05:04 PM
Need tun0 for fedora5. Help!! allkit Linux - Networking 1 03-27-2007 04:14 PM


All times are GMT -5. The time now is 08:40 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration